  1. Couchbase Kubernetes
  2. K8S-2610

RBAC Tests failing on 6.6 server


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.3.0
    • testing
    • None
    • 1

    Description

      Some RBAC tests (that make use of the bindGroup() function) are erroring when trying to create the role in pre-7.0 server versions:

      unexpected status code: request failed PUT http://test-couchbase-85jh2-0000.test-couchbase-85jh2.test-2cbnd.svc:8091/settings/rbac/groups/bucket-role 400 Bad Request: {\"errors\":{\"roles\":\"Cannot assign roles to user because the following roles are unknown, malformed or role parameters are undefined: [data_reader]\"}} 

      This is happening in all tests that make use of the function, for example TestRBACWithBucketScopedRolePre7.

      The same test passes in post-7.0, so I suspect that the ScopeRoleSpec or CollectionRoleSpec are being passed on and creating a malformed request in the eyes of 6.6.x (which does not understand collections or scopes.)


        Activity

          justin.ashworth Justin Ashworth added a comment - - edited

          Hey Roo Thorp,

          I think this is because we added the scope_name and collection_name fields to the UserRole model that gets serialized for the Couchbase API (/pkg/util/couchbaseutil/types.go) and it looks like we forgot to add the omitempty to the field tags.

          So after more digging, this doesn't seem to be the case. I don't see any reason why this would happen. Could you turn on debug mode for the operator and give me some better output? It looks like the bucket is being left off the role definition, which doesn't seem possible.

          I spun up a 6.6.5 and a 7.0.3 cluster and reproduced the call that would generate your error:

          curl -v -X PUT -u couchbase:<REDACTED> http://<REDACTED>:8091/settings/rbac/users/local/jashworth -d password=Foo123! -d 'roles=data_reader' 

          As you can see, this leaves off the bucket definition in the request and results in your exact error message. And to be clear, this request fails on both 6.6.5 and 7.0.3, so I'm not sure why the POST 7.0.0 test works and the PRE 7.0.0 test fails.

          So can you dig a bit deeper and see if you can provide me a set of logs for this error that I can comb over?

          Thanks,

          Justin Ashworth

          roo.thorp Roo Thorp added a comment -

          Hey Justin Ashworth,

          Off the bat, I should clarify that the same tests are not passing in 7.0.3; there is a Post7 and Pre7 variant of the test; the Post7 is passing, and the Pre7 is not. Unless I'm missing something obvious (totally possible!) it looks like the tests are the same, just Post7 also adds a scope and collection.

          I've run the tests with zap as verbose as possible, and attached the results for both a Pre7 fail and a Post7 pass. From what I can see, your above comment is correct; the passing test (TestRBACWithBucketScopedRolePost7) has the request body of:

          description=&ldap_group_ref=&roles=data_reader%5Bdefault%5D 

          ...whereas the failing test (TestRBACWithBucketScopedRolePre7) has the body of:

          description=&ldap_group_ref=&roles=data_reader 

          Hope this helps, let me know if you need more info from me.
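
The two request bodies above differ only in whether `data_reader` carries its bucket parameter. The following is an added example, not the operator's code or part of the original comments: it serializes roles into that form body and refuses to send a bucket-scoped role without a bucket, or a scope/collection-limited role to a pre-7.0 server. The `UserRole` fields, the role subset and the 7.0 `bucket:scope:collection` parameter form are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// UserRole is a hypothetical stand-in for the operator's role model.
type UserRole struct{ Name, Bucket, Scope, Collection string }

var (
	// Roles that need a bucket parameter (illustrative subset, an assumption).
	bucketScoped     = map[string]bool{"data_reader": true, "data_writer": true}
	ErrMissingBucket = errors.New("bucket-scoped role has no bucket")
	ErrBadScope      = errors.New("scope/collection invalid for role or server version")
)

// FormatRole renders a role as name or name[bucket[:scope[:collection]]].
func FormatRole(r UserRole, serverMajor int) (string, error) {
	if !bucketScoped[r.Name] {
		return r.Name, nil
	}
	if r.Bucket == "" {
		return "", fmt.Errorf("%w: %s", ErrMissingBucket, r.Name)
	}
	// Fail closed: never widen a scoped grant to the whole bucket on pre-7.0.
	if (r.Scope != "" && serverMajor < 7) || (r.Scope == "" && r.Collection != "") {
		return "", fmt.Errorf("%w: %s", ErrBadScope, r.Name)
	}
	target := strings.TrimRight(r.Bucket+":"+r.Scope+":"+r.Collection, ":")
	return r.Name + "[" + target + "]", nil
}

// GroupBody builds the form body for PUT /settings/rbac/groups/<name>.
func GroupBody(roles []UserRole, serverMajor int) (string, error) {
	out := make([]string, 0, len(roles))
	for _, r := range roles {
		s, err := FormatRole(r, serverMajor)
		if err != nil {
			return "", err
		}
		out = append(out, s)
	}
	form := url.Values{"description": {""}, "ldap_group_ref": {""}, "roles": {strings.Join(out, ",")}}
	return form.Encode(), nil
}

func main() { fmt.Println(GroupBody([]UserRole{{Name: "data_reader", Bucket: "default"}}, 6)) }
```

Rejecting the scoped role on a pre-7.0 server, rather than dropping the scope, keeps a collection-level grant from silently becoming a bucket-wide one.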


          build-team Couchbase Build Team added a comment -

          Build couchbase-operator-2.3.0-243 contains couchbase-operator commit eff36cc with commit message:
          K8S-2610 - RBAC Tests failing on 6.6 Server

          People

            roo.thorp Roo Thorp